What is Multi-Factor Authentication (MFA), and How Does it Work?
by Christopher Trick, on Feb 15, 2022 6:37:18 PM
As cyberattacks become increasingly sophisticated, traditional security methods such as requiring a username and password prove to be inadequate safeguards against unauthorized access.
In this blog, you'll learn the importance of multi-factor authentication and how it ensures maximum protection of a computing system.
What is multi-factor authentication?
Multi-factor authentication (MFA) is a security technology that requires at least two authentication methods from different types of credentials to verify a user's identity for a login or other transaction.
To be granted access, users must provide evidence from at least two of the following: what they know (e.g. a password), what they have (e.g. a security token), and what they are (e.g. facial recognition).
Currently, almost 60 percent of businesses worldwide use some form of multi-factor authentication.
The primary goal of MFA is to make it harder for unauthorized personnel to reach a target (a location, computer or system, network, or database) by creating multiple layers of defense.
If cybercriminals break through one layer, having MFA in place provides extra layers of protection before they can get to the object of interest.
Previously, multi-factor authentication systems were mainly built on two-factor authentication (TFA), meaning two layers of authentication are required before any action is authorized. Examples include requiring a password or PIN (personal identification number) at ATMs.
However, TFA proved to be ineffective as hackers found ways to access passwords and PINs, prompting companies and vendors to find stronger security methods.
More recently, the term multi-factor has been used to describe any authentication process requiring two or more credentials.
Why is multi-factor authentication important?
Traditional security practices like requiring a username and password prove to be increasingly weak protections against cyberattacks, potentially costing organizations millions of dollars. (The average cost of a data breach is said to be more than $4.2 million.)
Username and password combinations can easily be guessed, as cybercriminals use password cracking tools to try different usernames and passwords until they gain access.
And though many systems do lock users out after a certain number of incorrect attempts, there are other ways for hackers to gain access to a system.
Multi-factor authentication helps reduce the risk of attacks by providing extra layers of protection even if unauthorized personnel crack one of the layers.
What are some examples of multi-factor authentication?
Each credential used to verify a user's identity is called an authentication factor.
The purpose of requiring multiple credentials is to ensure that the entity trying to gain access is, in fact, who or what it says it is, making a hacker's job increasingly difficult.
There are three common authentication factors: knowledge, possession, and inherence.
Let's take a look at each in detail:
Knowledge factors are what an entity knows. Often, this is a code or the answer to a personal security question.
Some examples of knowledge factor technologies include passwords, four-digit PINs, or one-time passwords (OTPs).
Here are some situations in which a knowledge factor is required:
- You go to the grocery store and purchase an item with a debit card. Before the purchase is authorized, you need to enter a PIN.
- When you are trying to log into a CRM system or your bank account, they send you a one-time six-digit code to enter before you can access an account.
- When trying to access an investment account, you are asked to provide information to questions such as "What is your mother's maiden name?" or "What was the first concert you went to as a child?"
But this information can easily be guessed or stolen, which necessitates requiring other credentials before any entity gains access.
Four-digit PINs are used to further verify a user's identity before he or she is granted access to a system.
Possession factors are what an entity has, which they must present before accessing a system. These credentials can take the form of a badge, token, key fob, or phone subscriber identity module (SIM) card.
Some examples of possession factor technologies are:
- Security tokens, small hardware devices that store a user's personal information and electronically verify his or her identity. These can take the form of a smart chip, an embedded chip like a Universal Serial Bus (USB) drive, or a wireless tag.
- Software-based security token applications that generate a one-time login PIN. For mobile, soft tokens are used, in which the device itself provides the possession factor authentication.
Here are some situations in which a possession factor is required:
- When you receive a code via your smartphone to gain or grant access, also known as mobile authentication. This can take the form of text messages, phone calls, smartphone OTP apps, SIM cards, and smart cards with stored authentication.
- When you attach a USB drive to a computer and it generates an OTP for you to use to log in.
Inherence factors are any biological traits that an entity has that are needed for access. These credentials can take the form of fingerprints, facial features, or voice recognition.
Some examples of inherence factor technologies include retina or iris scans, fingerprint scans, voice authentication, hand geometry, digital signature scanners, facial recognition, or earlobe geometry.
A biometric device is needed to recognize these traits, composed of a reader, a database, and software to convert the scanned data into a standardized digital format and compare match points to the data already stored.
Here are some situations in which an inherence factor is required:
- When you use your smartphone, you are asked to scan your fingerprint or face before access is granted.
- You are asked to sign at checkout before the purchase is authorized when you go to a retail store and make a purchase with a debit card.
Other authentication factors
- User location is sometimes used, as most people carry their phones with them, and the Global Positioning System (GPS) feature on a smartphone can help verify the login location. For instance, suppose an employee who always carries his phone with him tries to log into his company's database from Lawrenceville, Georgia. It can be confirmed that it is, in fact, this person by locating him through the GPS feature on his phone.
- Time-based authentication is useful in detecting a person's presence at a specific time of day when a system was accessed. For instance, it's highly unlikely that someone in Tallapoosa, Georgia, could make a withdrawal from his bank account in Paris, France, 15 minutes later.
What are the pros and cons of multi-factor authentication?
Though multi-factor authentication has many upsides, there are some downsides, too.
Let's take a look at the pros:
- It strengthens security at the hardware, software, and personal identification levels.
- It uses one-time passwords or codes sent to phones in real-time, making it very difficult for hackers to gain access.
- It reduces data breaches by more than 99 percent.
- It is easy for users to set up.
- It gives businesses the option to restrict access through the filters of day or location.
Let's take a look at the cons:
- To get a code, you need to have access to a phone.
- Hardware tokens can be lost or stolen.
- Your phone can also be lost or stolen.
- Biometric data like thumbprints are not always read accurately and can produce false positives and false negatives.
- If there is a network or internet outage, verification can fail.
- Verification techniques constantly need to be updated to protect against cybercriminals.
Are there any improvements to make with multi-factor authentication?
Each additional factor in multi-factor authentication adds friction for users, who may need to remember multiple passwords.
So, it is important to simplify MFA for users.
Here are three solutions:
- Adaptive MFA: This means knowledge, business rules, or policies are applied based on factors such as a user's device or location. For instance, a company's virtual private network (VPN) allows a user to sign on from home because it can assess the risk of misuse or compromise. If a user tries to access the network from a deli, the system will be triggered, and the user will be asked to provide MFA credentials.
- Single sign-on (SSO): This means that users can be logged into multiple applications or websites with a single ID and password, as the user's identity is established by the first login and then shared with the applications. For instance, once someone logs into Google Drive, they are automatically logged into other Google applications they have, such as Gmail, Docs, and Sheets.
- Push authentication: This is an automated mobile authentication technique where the security system issues a third, one-time identification code to the user's mobile device, so users are not stuck with remembering it. For instance, users will need to enter a username and password to access a secure system. The security system will automatically issue a third, single-use identification code to their mobile device. This code will be the final barrier to access.
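The location and time checks described under "Other authentication factors" and the adaptive MFA policy above (home network allowed, unfamiliar location stepped up), as one added example that is not code from the original post; the user, devices, networks, coordinates and the 1,000 km/h plausibility limit are constructed assumptions:

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed enrolment data for a hypothetical user; a real deployment reads these from its identity store.
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}}
TRUSTED_NETWORKS = {"alice": {"home-wifi"}}
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airline speed; anything faster cannot be one traveller

@dataclass
class LoginEvent:
    user: str
    ts: int            # unix seconds
    lat: float
    lon: float
    device_id: str
    network: str

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(prev: Optional[LoginEvent], cur: LoginEvent) -> bool:
    """The time-based check: True when reaching cur from prev would need an implausible speed."""
    if prev is None:
        return False
    hours = max(cur.ts - prev.ts, 1) / 3600.0
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours > MAX_PLAUSIBLE_KMH

def decide(cur: LoginEvent, prev: Optional[LoginEvent]) -> str:
    """Adaptive policy: 'deny' on impossible travel, 'allow' for an enrolled device on a
    trusted network, otherwise 'mfa' (step-up, e.g. a push or OTP challenge)."""
    if impossible_travel(prev, cur):
        return "deny"   # assumed policy: treat as likely compromise, reject and alert rather than step up
    known = cur.device_id in KNOWN_DEVICES.get(cur.user, set())
    trusted = cur.network in TRUSTED_NETWORKS.get(cur.user, set())
    return "allow" if known and trusted else "mfa"

if __name__ == "__main__":
    home = LoginEvent("alice", 1_700_000_000, 33.744, -85.289, "laptop-7f3a", "home-wifi")
    paris = LoginEvent("alice", 1_700_000_900, 48.857, 2.352, "laptop-7f3a", "home-wifi")
    print(decide(home, None), decide(paris, home))  # Georgia, then Paris 15 minutes later
```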
As cybercriminals become more advanced in their methods, security measures must evolve to protect against such threats.
Additionally, single-layer security tactics are proving to be relatively ineffective, as usernames and passwords can easily be guessed using various tools and tactics.
Though imperfect, multi-factor authentication provides additional layers of system hardening to protect critical data and thwart hacker attacks.
At Trenton Systems, our engineers spend countless hours perfecting multi-layer cybersecurity options, including multi-factor authentication, to provide complete protection across the hardware, firmware, and software layer stack.
With Next-Gen encryption and the latest cybersecurity technologies, our high-performance compute solutions help prevent unauthorized access to ensure optimal performance across all domains of the modern battlespace, no matter where the mission leads.